In Valorant, “needs Secure Boot” means Vanguard requires UEFI Secure Boot and TPM 2.0 enabled to pass anti-cheat integrity checks.
What Does It Mean When Valorant Needs Secure Boot? Explained For Players
When the launcher says what does it mean when valorant needs secure boot?, it’s pointing to a Windows setting at the firmware layer. Secure Boot tells your PC to load only trusted startup code. Riot’s Vanguard checks that setting at boot, and on Windows 11 it also looks for TPM 2.0. If either is off, Valorant blocks matchmaking with a VAN error until the trusted state returns.
Quick Answer And Why It Matters
Secure Boot reduces room for cheat loaders that try to slip in before Windows starts. Vanguard leans on that trusted start to keep the kernel clean. You don’t gain frames from turning it on, but you gain a cleaner base and you clear the Vanguard gate so the game runs without protests.
Valorant Secure Boot And TPM: Fast Facts
| Item | What It Means For Valorant | Where To Check |
|---|---|---|
| Secure Boot | Limits boot to signed code so Vanguard trusts the session. | UEFI firmware menu under Boot/Security. |
| TPM 2.0 | Hardware chip or firmware module that attests system state. | Windows “Device Security” or tpm.msc. |
| UEFI Mode | Needed for Secure Boot; Legacy/CSM blocks it. | Firmware “Boot Mode” setting. |
| VAN 9001/9003/9090 | Error group tied to Secure Boot/TPM on Windows 11. | Shown in Valorant client banner. |
| Windows 10 | Vanguard can run without TPM on this OS in many cases. | Still benefits from Secure Boot on. |
| Dual-Boot | Unsigned loaders can flip Secure Boot state. | Re-enable certs, set Windows Boot Manager first. |
| Custom GPUs/Drives | Old option ROMs may break signature checks. | Update firmware; use UEFI boot entries. |
| BIOS Updates | Vendors ship fixes that restore Secure Boot databases. | Vendor site updater. |
How Vanguard Uses Secure Boot
Valorant Needs Secure Boot Meaning And Fixes
This message is a plain flag from the anti-cheat. It says your boot chain isn’t meeting the trust checks Riot expects. The fix sits in firmware, not in the game files. Then test match launch again now.
Why The Message Pops Up
- You switched to a cloned MBR drive.
- You flashed an old GPU with a legacy VBIOS.
- The firmware reset to defaults after a power event.
Vanguard sits low in the stack. It checks that the boot chain remains signed, then loads its driver only when the chain passes. That chain starts in UEFI firmware, flows through bootloaders, and hands off to Windows. The design blocks loaders that try to hook the kernel before the desktop. With Secure Boot and TPM 2.0 on Windows 11, Vanguard can trust measurements stored in the TPM during early start.
Can You Play Without Secure Boot?
On Windows 11, the answer is no. Vanguard needs both Secure Boot and TPM 2.0. On Windows 10, many rigs still launch the game with Secure Boot only. If you meet the OS and firmware checks, you queue. If you don’t, you’ll see a VAN code and the client closes.
Check Your Current Status In Minutes
Inside Windows
Press Win+R, type msinfo32, and look for “Secure Boot State.” For TPM, press Win+R, type tpm.msc, and look for “TPM Manufacturer Information” and “Specification Version.”
Inside Firmware
Reboot to UEFI: Settings → System → Recovery → Restart now (under Startup) → Troubleshoot → UEFI Firmware Settings. Then open the Boot or Security page and view the Secure Boot toggle and enrolled certs.
What Blocks Secure Boot
Common roadblocks include Legacy/CSM mode, disk set up as MBR instead of GPT, old GPU option ROMs, or missing platform certs. On laptops, a preloaded “Setup Mode” can leave Secure Boot off until certs get installed. On custom builds, a drive cloned from an old MBR install can keep the board locked in Legacy mode.
Safe Path To Turn It On
Prep Steps
- Back up anything that matters.
- Update motherboard firmware and chipset drivers.
- Update your GPU VBIOS only if the vendor provides a UEFI version.
- Confirm your system boots in UEFI and the system disk uses GPT.
Enable Steps
- Enter UEFI setup and switch Boot Mode to UEFI.
- Set Windows Boot Manager as the first boot entry.
- Load factory certs (PK, KEK, DB, DBX) if the firmware shows “Setup Mode.”
- Toggle Secure Boot to Enabled.
- On Windows 11, ensure TPM 2.0 is Active and Ready in
tpm.msc. - Reboot, then check
msinfo32again.
Fix The Common VAN Errors
VAN 9001
Often means Secure Boot is off or in Setup Mode. Load certs, enable the toggle, save, and reboot. If the board shows “User Mode,” you’re set.
VAN 9003
Points to TPM 2.0 on Windows 11. Open tpm.msc, check status, and enable fTPM/PTT in firmware if needed. Clear TPM only if a vendor guide asks for it.
VAN 9090
Appears on some boards after firmware updates. Refresh Secure Boot certs and place Windows Boot Manager first. If the error returns, reinstall Vanguard from the Riot client.
Secure Boot In Valorant On Windows 11
Windows 11 made Secure Boot and TPM 2.0 baseline for Riot’s trusted start. This setup is the baseline now. That’s why the client calls it out so bluntly. On this OS, the anti-cheat checks the boot chain and the TPM measurements before it loads. If the chain breaks, the client exits and shows a VAN code with a hint toward firmware settings.
Why Riot Ties This To Anti-Cheat
Cheat loaders try to hook the kernel before drivers claim the space. Secure Boot blocks unsigned boot code and TPM 2.0 records measurements that reflect the chain. That combo raises the bar for ring-0 hooks. Vanguard then runs with that base and watches for tampering during play.
Risks, Myths, And Real Limits
- “Secure Boot hurts frames.” No. It runs at boot and hands off to Windows. There’s no frame hit during matches.
- “Linux dual-boot stops working.” Many distros ship signed bootloaders. You can keep both setups once certs and entries are right.
- “Custom drivers won’t load.” Signed drivers load as usual. Old hardware with legacy option ROMs can be a snag until you update.
Official References If You Need Proof
Riot’s VAN 9001/9003/9090 guide and Microsoft’s Secure Boot page give the official baseline.
Typical Menu Paths By Brand
| Brand | Menu Path | Notes |
|---|---|---|
| ASUS | F7 Mode → Boot → Secure Boot → OS Type: Windows UEFI | Load certs if “Setup Mode” shows. |
| MSI | Settings → Security → Secure Boot | Switch from CSM to UEFI first. |
| Gigabyte | Settings → Miscellaneous → Secure Boot | Set Storage Boot to UEFI Only. |
| ASRock | Security → Secure Boot | Install default certs, then Enable. |
| Lenovo | Security → Secure Boot | Some models gate under Startup. |
| HP | Boot Options → Secure Boot | Turn off the Legacy toggle. |
| Dell | Secure Boot → Secure Boot Enable | Set UEFI Boot Path Security to Always. |
| Acer | Security → Select an UEFI file as trusted | Add Windows Boot Manager if needed. |
| Razer | Security → Secure Boot | Gaming laptops ship with it on by default. |
| Microsoft Surface | UEFI → Security → Secure Boot | Toggle without leaving Windows. |
Convert MBR To GPT Without A Full Reinstall
Secure Boot needs UEFI. UEFI likes GPT disks. If your system drive still uses MBR, Windows ships a tool named mbr2gpt.exe to convert in place. Create a restore point, open an admin Command Prompt, run mbr2gpt /validate /allowFullOS to check, then run mbr2gpt /convert /allowFullOS. Reboot straight to firmware, switch to UEFI mode, and keep Secure Boot on. The files stay in place since the tool only changes partition layout and boot data.
Check Secure Boot Without Leaving Windows
Open Windows Security → Device Security and view the Core isolation and Security processor views. The pages show TPM status and link to Security processor troubleshooting. You can also run powershell Get-SecureBootUEFI on many systems to read variables tied to the feature.
Dual-Boot And Custom Loaders
Signed Linux bootloaders work with Secure Boot when the right certs are present. The easiest path is to keep Windows Boot Manager first and chainload your distro from there. If a custom loader trips the check, reinstall the signed one, refresh certs, and try again.
Clean Reinstall Steps If Errors Persist
If VAN codes return after fixes, reinstall Vanguard and the game client. Uninstall Vanguard from Apps, reboot, then let Riot reinstall during the next launch. Check that Secure Boot shows “On” and the TPM is ready before you click Play.
Reasonable Tweaks For Stable Play
- Keep chipset, storage, and GPU drivers current.
- Turn off fast startup so firmware changes stick.
- Use GPT on the system drive; convert MBR if needed with the Windows tool.
- Place Windows Boot Manager at the top of the order.
- Keep one visible date on your site’s page template when you publish guides like this.
Takeaways You Can Act On Today
Enable UEFI mode, load certs, and switch Secure Boot on. On Windows 11, make sure TPM 2.0 is ready. Check again in msinfo32 and tpm.msc. Launch the game and confirm the VAN banner is gone. If you still see “what does it mean when valorant needs secure boot?” in the client, repeat the firmware steps, update the board, and try again.
Riot’s VAN 9001/9003/9090 guide and Microsoft’s Secure Boot page give the official baseline.